Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol 

Martin Gallo - Core Security 
Defcon 20 - July 2012 






Agenda 



• Introduction 

• Motivation and related work 

• SAP Netweaver architecture and protocols layout 

• Dissecting and understanding the Diag protocol 

• Results and findings 

• Defenses and countermeasures 

• Conclusion and future work 






Introduction 






Introduction 



• Leading business software provider 

• Sensitive enterprise business processes run on SAP 
systems 

• SAP security has become a hot topic 

• Some components still not well covered 

• Proprietary protocols used at different components 
Introduction 

• Dynamic Information and Action Gateway (Diag) protocol 
(aka "SAP GUI protocol") 

• Link between presentation layer (SAP GUI) and 
application layer (SAP Netweaver) 

• Present in every SAP NW ABAP AS 

• Compressed but unencrypted by default 

• TCP ports 3200 to 3298 
Motivation and related work 

Previous work on Diag protocol 

Motivation 

• Previous work mostly focused on decompression 

• Protocol inner workings remain unknown 

• No practical tool for penetration testing 

Only 2 out of ~2300 security fixes published by SAP since 2009 affected 
components related to Diag 

[Chart: SAP security fixes per year, 2009 - 2012] 
SAP Netweaver architecture and protocols layout 

SAP Netweaver architecture 

SAP Database Schema 

Relevant concepts and components 



• ABAP 

• SAP's programming language 

• Dispatcher and work processes (wp) 

• Dispatcher: distribute user requests across wp 

• Work processes: handle specific tasks 

• Types: dialog, spool, update, background, lock 

• Dialog processing 

• Programming method used by ABAP 

• Separates business programs into screens and dialog 
steps 
SAP Protocols layout 

Dissecting and understanding the Diag protocol 






Dissecting and understanding the Diag 
protocol 



Approach 

• 'Black-box' 

• No binary reverse engineering techniques were used 

• Enable system/developer traces (GUI/app server) 

• Analyze network and application traces 

• Learn by interacting with the components (GUI/app 
server) 

• Continuous improvement of test tools based on gained 
knowledge 
Dissecting and understanding the Diag 
protocol 



NI (Network Interface) Protocol 




Dissecting and understanding the Diag 
protocol 

Initialization 

• Identified only two relevant protocol states: 

• Not initialized 

• Initialized 

• User's context assigned in shared memory 

• Started by GUI application 

• Only first packet 

• Always uncompressed 
Dissecting and understanding the Diag 
protocol 

DP Header 

• 200 bytes long 

• Two different semantics 

• IPC (inter process communication) 

• Used in communications between dispatcher and work 
processes 

• Synchronization and status 

• Network 

• Most fields filled with default values 

• Relevant fields: 

Terminal name, Length 

• Only present during initialization 
(first packet) 
Dissecting and understanding the Diag 
protocol 

Diag Header 



Compression 
Dissecting and understanding the Diag 
protocol 

Compression 

• Enabled by default 

• Uses two variants of Lempel-Ziv Adaptive Compression 
Algorithm 

• LZH (Lempel-Ziv-Huffman) LZ77 

• LZC (Lempel-Ziv-Welch-Thomas) LZ78 

• Same implementation as SAP's MaxDB open source 
project 

• Can be disabled in GUI by setting 
TDW_NOCOMPRESS environment 
variable 
Dissecting and understanding the Diag 
protocol 

Compression Header 



LZH: compression level 
LZC: max # of bits per code 
Dissecting and understanding the Diag 
protocol 

Payload 
Dissecting and understanding the Diag 
protocol 



APPL/APPL4 items 



Item type: 
APPL: 0x10 
APPL4: 0x12 

Length field: 
APPL: 2 bytes 
APPL4: 4 bytes 
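As an added illustration of the APPL/APPL4 item framing above (example code, not from the talk or Core's tools): a small Python parser that walks a decompressed Diag payload using the two length-field widths. The exact layout it assumes (type byte, then ID and SID bytes, then a big-endian length field, then the value) and the sample ID/SID values are assumptions beyond what the slide shows.

```python
# Added example, not part of the original talk. Assumed item layout:
# type (1 byte: 0x10 APPL, 0x12 APPL4), ID (1 byte), SID (1 byte),
# big-endian length (2 bytes for APPL, 4 bytes for APPL4), then the value.
import struct
from dataclasses import dataclass

ITEM_APPL = 0x10    # length field is 2 bytes
ITEM_APPL4 = 0x12   # length field is 4 bytes
LENGTH_FIELD_SIZE = {ITEM_APPL: 2, ITEM_APPL4: 4}


@dataclass
class DiagItem:
    item_type: int
    item_id: int
    sid: int
    value: bytes


def parse_diag_items(payload: bytes) -> list[DiagItem]:
    """Split a decompressed Diag payload into APPL/APPL4 items.

    Raises ValueError on an unknown item type, a truncated header, or a
    declared length that runs past the buffer (what a fuzzer would send)."""
    items, offset = [], 0
    while offset < len(payload):
        item_type = payload[offset]
        len_size = LENGTH_FIELD_SIZE.get(item_type)
        if len_size is None:
            raise ValueError(f"unknown item type 0x{item_type:02x} at offset {offset}")
        header_size = 1 + 2 + len_size  # type, id, sid, length field
        if offset + header_size > len(payload):
            raise ValueError(f"truncated item header at offset {offset}")
        item_id, sid = payload[offset + 1], payload[offset + 2]
        (length,) = struct.unpack_from(">H" if len_size == 2 else ">I", payload, offset + 3)
        start = offset + header_size
        if start + length > len(payload):
            raise ValueError(f"item at offset {offset} declares {length} bytes, "
                             f"only {len(payload) - start} remain")
        items.append(DiagItem(item_type, item_id, sid, payload[start:start + length]))
        offset = start + length
    return items


# Constructed sample: one APPL item carrying 3 bytes, then one APPL4 item
# carrying 5 bytes. The ID/SID bytes (0x04/0x0c, 0x04/0x0b) are made up.
SAMPLE_PAYLOAD = (bytes([ITEM_APPL, 0x04, 0x0c]) + struct.pack(">H", 3) + b"\x01\x02\x03"
                  + bytes([ITEM_APPL4, 0x04, 0x0b]) + struct.pack(">I", 5) + b"hello")

if __name__ == "__main__":
    for item in parse_diag_items(SAMPLE_PAYLOAD):
        print(f"type=0x{item.item_type:02x} id={item.item_id} sid={item.sid} value={item.value!r}")
```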
Diag protocol security highlights 



Protocol version 

• APPL item included in payload during initialization 

• Can disable compression using version number "200" 

Authentication 

• Performed as a regular dialog step 

• Sets the user's context in the work processes' shared memory 

Embedded RFC calls 

• APPL item that carries RFC calls in both directions 

• Server doesn't accept RFC calls until authenticated 
Results and findings 

Packet dissection 



• Wireshark plug-in written in C/C++ 




• NI Protocol dissector 

• TCP reassembling 

• Router Protocol dissector 

• Basic support 

• Diag protocol dissector 

• Decompression 

• DP header / Diag Header / Compression Header 

• Item ID/SID identification and dissection of relevant items 

• Call RFC dissector for embedded calls 

• RFC protocol dissector 

• Basic coverage of relevant parts 
Packet dissection 

Packet crafting 



• Scapy classes 

• SAPNi 

• SAPDiagDP (DP Header) 

• SAPDiag (Diag header + compression) 

• SAPDiagItem 

• Custom classes for relevant Diag items 

• PoC and example scripts 

• Information gathering 

• Login Brute Force 

• Proxy/MITM script 

• Diag server 






Fuzzing approach 



• Fuzzing scheme using 

• scapy classes: test case generation and delivery 

• windbg: monitoring 

• xmlrpc: synchronization 

• Monitoring of all work processes 
Vulnerabilities found 

• 6 vulnerabilities released on May 2012 affecting SAP NW 
7.01/7.02, fix available on SAP Note 168710 

• Unauthenticated remote denial of service when 
developer traces enabled 

• CVE-2012-2511 - DiagTraceAtoms function 

• CVE-2012-2512 - DiagTraceStreamI function 

• CVE-2012-2612 - DiagTraceHex function 
Vulnerabilities found 



• Unauthenticated remote denial of service 

• CVE-2012-2513 - DiagInput function 

• CVE-2012-2514 - DiagiEventSource function 

• Unauthenticated remote code execution when developer 
traces enabled 

• CVE-2012-2611 - DiagTraceR3Info function 

• Stack-based buffer overflow while parsing ST_R3INFO 
CODEPAGE item 

• Thanks to Francisco Falcon (@fdfalcon) for the exploit 
Attack scenarios 

Target application servers 
Attack scenarios 



Target GUI users 
Defenses and countermeasures 

Defenses and countermeasures 



• Restrict network access to dispatcher service 

• TCP ports 3200-3298 

• Use application layer gateways 

• Implement SNC client encryption 

• Provides authentication and encryption 

• Available for free at SAP Marketplace since 2011 

• See SAP Note 1643878 

• Restrict use of GUI shortcuts 

• Disabled by default in SAP GUI versions > 7.20 

• See SAP Note 1397000 
Defenses and countermeasures 



• Use WebGUI with HTTPS 

• See SAP Note 314568 

• Patch regularly 

• Patch Tuesday 

• RSECNOTE program, see SAP Note 888889 

• Patch CVEs affecting Diag 

• Look at CORE's advisory for mitigations/countermeasures 

• See SAP Note 168710 

• Test regularly 
Conclusion and future work 

Conclusion 



• Protocol details now available to the security community 

• Practical tools for dissection and crafting of protocol's 
messages published 

• New vectors for testing and assessing SAP 
environments 

• Discussed countermeasures and defenses 
Future work 



• Security assessment and fuzzing of GUI/app server. 

• Complete dissection of embedded RFC calls. 

• Full implementation of attack scenarios. 

• Integration with external libraries and exploitation tools. 

• Security assessment of SNC and coverage of encrypted 
traffic. 






Q & A 
Thank you! 



Thanks to 

Diego, Flavio, Dana, Wata and Euge 